> Starting to provide a format, then stopping, is not very helpful.
> CycloneDX is easier to produce and has more uptake in ASF.

I had a look but couldn't find anything conclusive on which format works best for the EU Cyber Resilience Act. GitHub is exporting SPDX I think: https://github.blog/2023-03-28-introducing-self-service-sboms/ You can create one for Jena from https://github.com/apache/jena/network/dependencies and that will give you an SPDX JSON.

> Combining SPDX with RAT could be useful.

#TIL! I think RAT had/has some older issues (can't recall if in the tool, maven plugin, or both) but had a low activity. Maybe with that there will be more commits/releases.

> Links I have found useful:

Thanks for the links to external and ASF material! Someone shared links in the Commons security list too about SBOM discussing VEX files (OSV was also mentioned):

- https://www.cisa.gov/sbom
- https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf
- https://github.com/openvex

> PS SPDX can be RDF!, and in fact the maven plugin uses Jena!
> Jena 3.10.0 :-(

Maybe we can ping someone that maintains it, or even send a PR to bump it to Jena 4, warning that there will be a jena5 soon too.

Cheers,
Bruno

On Sun, 22 Oct 2023 at 11:11, Andy Seaborne <a...@apache.org> wrote:
>
> On 21/10/2023 22:51, Bruno Kinoshita wrote:
> > Thanks Andy!
> >
> > I had a go at the UI dependencies upgrade, and found some deprecation
> > warnings (from vite I think) and e2e tests that need to be fixed. I'm
> > doing those tasks for the jena5 branch.
>
> Great - thank you.
>
> It's time to get 4.10.0 out and switch over.
>
> > Will also try to look at the BOM issues as I may need that for $work
> > (future EU regulations and all).
>
> tl;dr:
>
> Let's publish CycloneDX and hold back on SPDX for now.
> There's a lot going on in ASF and the picture will become clearer.
> I don't think Jena is special or different in its requirements.
>
> Starting to provide a format, then stopping, is not very helpful.
> CycloneDX is easier to produce and has more uptake in ASF.
>
> The US gov accepts CycloneDX as well as SPDX and Software Identification
> (SWID) tag.
>
> I'd be surprised if the EU does not align,
>
> ----
>
> SPDX is quite detailed. It was originally for license management. I'm
> beginning to think it is less useful for simple machine generation and
> expects manual configuration to at least check all its deductions, and
> probably change them. Having some coverage of license information but
> not full coverage seems like a bad idea for both us and users.
>
> Interestingly, RAT has a class "SpdxBuilder".
> Combining SPDX with RAT could be useful.
>
> In ASF, only Commons is producing SPDX that I can find.
>
> Links I have found useful:
>
> https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/
>
> IN ASF:
> https://cwiki.apache.org/confluence/display/COMDEV/SBOM
>
> Discussion on
> https://github.com/apache/logging-log4j2/issues/1707
> -- worth tracking
>
> and e.g.
>
> https://github.com/apache/spark/pull/39401
> Dongjoon Hyun has been doing quite a few of the PRs
> for adding CycloneDX to projects so his work is getting
> wide review.
>
> Andy
>
> PS SPDX can be RDF!, and in fact the maven plugin uses Jena!
> Jena 3.10.0 :-(
>
> > Cheers
> >
> > Bruno
> >
> > On Fri, 20 Oct 2023 at 11:56, Andy Seaborne <a...@apache.org> wrote:
> >
> >>
> >> On 19/10/2023 22:21, Bruno Kinoshita wrote:
> >>> Great progress Andy!
> >>>
> >>> I saw that you created several issues for Jena5.
> >>
> >> Sorry - because it's a branch, github hasn't closed them when the PR was
> >> merged.
> >>
> >> https://github.com/apache/jena/issues?q=is%3Aissue+is%3Aopen+label%3AJena5
> >>
> >> should make things clearer
> >>
> >> There's always a lot of things that would be nice but that then delays
> >> the release.
> >>
> >> I'm going through my notes and I'll raise issues.
> >>
> >> + There is one "must" change: normalization of language tags.
> >>
> >> https://github.com/apache/jena/issues/2039
> >>
> >> because that impacts on-disc data.
> >>
> >> + The SBOM SPDX files don't look very good - too many NOASSERTION.
> >>
> >> https://repository.apache.org/content/groups/snapshots/org/apache/jena/jena-arq/5.0.0-SNAPSHOT/jena-arq-5.0.0-20231018.142515-1.spdx.json
> >>
> >> but maybe that is just how it is. I'm not sure what "good practice" in
> >> ASF is or what "good practice" is generally (e.g. are SBOMs for every
> >> artifact best, or are they just clutter?).
> >>
> >> Many projects produce CycloneDX files but not SPDX.
> >>
> >>> Are there any easy ones that you need help with?
> >>
> >> 2048 maybe
> >>
> >> Should we do a general update of dependencies in FusekiUI?
> >>
> >> Andy
> >>
> >>> Cheers
> >>> Bruno
> >>>
> >>> On Wed, 18 Oct 2023 at 17:15, Andy Seaborne <a...@apache.org> wrote:
> >>>
> >>>>
> >>>> On 12/10/2023 10:05, Andy Seaborne wrote:
> >>>>>
> >>>>> On 06/10/2023 11:47, Andy Seaborne wrote:
> >>>>>> There's a large PR for a new branch "jena5"
> >>>>>>
> >>>>>> https://github.com/apache/jena/pull/2029
> >>>>>>
> >>>>>> of what I've managed to do so far.
> >>>>>>
> >>>>>> It's not finished.
> >>>>>>
> >>>>>> Andy
> >>>>>
> >>>>> I'd like to bring the PR in as a branch and set up Jenkins to produce
> >>>>> snapshot artifacts.
> >>>>
> >>>> Branch setup, code merged to branch "jena5"
> >>>>
> >>>> There will be forced pushes due to rebasing to "main".
> >>>>
> >>>> This will end when Jena 4.10.0 is released which makes a nice, clear
> >>>> point at which to create a jena4 and make main jena5 development.
> >>>>
> >>>> There are one or two items that need to go into 4.10.0 before that can
> >>>> be released.
> >>>>
> >>>> Jenkins is deploying 5.0.0-SNAPSHOT to the Apache snapshots repository.
> >>>>
> >>>> https://repository.apache.org/content/repositories/snapshots/
> >>>>
> >>>> Andy
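The thread's complaint that the generated SPDX files contain "too many NOASSERTION" can be turned into a measurable check. The script below is an added example, not code from the Jena project or from the SPDX tooling discussed in the thread: it walks the `packages` array of an SPDX 2.x JSON document, counts which of the standard package fields (`licenseConcluded`, `licenseDeclared`, `supplier`, `downloadLocation`, `copyrightText`) are `NOASSERTION` or absent, and flags packages that carry no Package URL (`purl`) external reference, since that is the identifier vulnerability feeds such as OSV and VEX statements key on. The embedded SPDX document and its package names are constructed sample data, not a real Jena SBOM.

```python
"""Measure NOASSERTION coverage in an SPDX 2.x JSON SBOM.

Added example (not from the Jena project or the SPDX tooling). It assumes
only the standard SPDX 2.x JSON field names; the sample document below is
constructed for illustration.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Any

# Package fields that SBOM generators fill with NOASSERTION when they cannot
# establish a value. An absent field is treated the same way, because a
# consumer cannot act on it either.
CHECKED_FIELDS = ("licenseConcluded", "licenseDeclared", "supplier",
                  "downloadLocation", "copyrightText")

# Constructed sample: three packages with varying levels of completeness.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sample-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-lib-a", "name": "lib-a", "versionInfo": "1.0.0",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0",
         "supplier": "Organization: Example Org",
         "downloadLocation": "https://example.org/lib-a-1.0.0.jar",
         "copyrightText": "Copyright Example Org",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.example/lib-a@1.0.0"}]},
        {"SPDXID": "SPDXRef-Package-lib-b", "name": "lib-b", "versionInfo": "0.4.2",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT",
         "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION",
         "copyrightText": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.example/lib-b@0.4.2"}]},
        {"SPDXID": "SPDXRef-Package-lib-c", "name": "lib-c", "versionInfo": "2.1",
         "licenseConcluded": "BSD-3-Clause", "licenseDeclared": "BSD-3-Clause",
         "supplier": "Organization: Example Org",
         "downloadLocation": "https://example.org/lib-c-2.1.tgz",
         "copyrightText": "NOASSERTION"},
    ],
})


def has_purl(pkg: dict[str, Any]) -> bool:
    """True if the package carries a purl external reference."""
    return any(ref.get("referenceType") == "purl"
               for ref in pkg.get("externalRefs", []))


def noassertion_report(doc: dict[str, Any]) -> dict[str, Any]:
    """Count NOASSERTION per field and list packages a consumer cannot fully use."""
    packages = doc.get("packages", [])
    field_counts: Counter[str] = Counter()
    incomplete: list[dict[str, Any]] = []
    for pkg in packages:
        missing = [f for f in CHECKED_FIELDS
                   if pkg.get(f, "NOASSERTION") == "NOASSERTION"]
        field_counts.update(missing)
        if missing or not has_purl(pkg):
            incomplete.append({"id": pkg.get("SPDXID"), "name": pkg.get("name"),
                               "missing": missing, "purl": has_purl(pkg)})
    return {
        "packages": len(packages),
        "complete": len(packages) - len(incomplete),
        "field_counts": dict(field_counts),
        "incomplete": incomplete,
    }


def report_from_text(text: str) -> dict[str, Any]:
    """Parse an SPDX JSON document from text and produce the report."""
    return noassertion_report(json.loads(text))


def coverage(report: dict[str, Any]) -> float:
    """Fraction of packages with no NOASSERTION in checked fields and a purl."""
    return report["complete"] / report["packages"] if report["packages"] else 0.0


if __name__ == "__main__":
    rep = report_from_text(SAMPLE_SPDX)
    print(f"{rep['complete']}/{rep['packages']} packages fully asserted "
          f"({coverage(rep):.0%})")
    for field, n in sorted(rep["field_counts"].items()):
        print(f"  {field}: {n} NOASSERTION")
    for p in rep["incomplete"]:
        print(f"  {p['id']}: missing={p['missing']} purl={p['purl']}")
```

Run it against a real file with `report_from_text(open(path).read())`; a low coverage figure on a snapshot SBOM is the quantified form of "too many NOASSERTION" and is a reasonable gate to put in front of publishing the file, since a consumer cannot match a package to an advisory without a purl, and partial license data is what Andy warns is worse than none.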